In a client-server environment, communications between the client and server often need to be authenticated. Typically one computing device (the client) communicates with another computing device (the server) over a network to access services. To ensure that both the client and the server are genuine, and thereby to maintain identity and data integrity, authentication is required.
Several solutions exist for authenticating communications between a server and a client. In one solution, the session is authenticated with simple authentication. The majority of secure web servers on the Internet today use some form of simple authentication, such as HTTP Basic authentication or HTTP (Hypertext Transfer Protocol) POST-based form authentication, carried over SSL/TLS (Secure Sockets Layer/Transport Layer Security), to authenticate a session. The authenticated session is then identified by a token stored on the client in an HTTP cookie. This scheme is complex because it depends on SSL/TLS: to support SSL or TLS properly, a client needs relatively strong cryptographic capabilities, in particular the public-key operations (for example, RSA) that the handshake relies on. Such capabilities may not be available on a simple client such as a wireless data device or a personal digital assistant (PDA), depending on the device. Further, in a wireless environment this form of authentication requires numerous round trips just to establish a secure channel. With wireless devices, the latency of the wireless link and the cost in terms of network bandwidth, battery life and data transmission charges may be too high.
An alternative solution is to use a simpler cryptographic method, such as a challenge-response scheme like NTLM (Windows NT LAN Manager) authentication. NTLM is a Microsoft proprietary challenge-response authentication mechanism; when used over HTTP it authenticates a TCP (Transmission Control Protocol) connection rather than the individual requests carried on it. Because the data integrity of HTTP traffic over an NTLM-authenticated connection is not protected, an HTTP message can be changed, removed or injected by an attacker on the path. Thus, even though the session has been authenticated, data source authentication of the HTTP messages themselves is not guaranteed.
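To make the gap described above concrete, the following is an added example (written for this edit, not code from the document or from any NTLM implementation). It simulates a challenge-response handshake that, like NTLM over HTTP, authenticates the connection once; an attacker on the path then alters one HTTP message and injects another, and the server accepts both because it checks nothing after the handshake. The same traffic is then passed through a generic per-message HMAC check that uses a sequence number and a key bound to the handshake. The password, HTTP messages, key derivation and sequence-number rule are all assumptions made for the illustration; real NTLM uses different primitives and message formats.

```python
import hashlib
import hmac
import os

# Constructed credential for this example; nothing here comes from the page.
PASSWORD = b"correct horse battery staple"


def derive_key(password: bytes) -> bytes:
    """Password-derived key. Stand-in for the password hash a challenge-response
    scheme like NTLM keys its response with; the KDF here is illustrative only."""
    return hashlib.sha256(password).digest()


def challenge_response(key: bytes, nonce: bytes) -> bytes:
    """Client's answer to the server's random challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def connection_authenticated(key: bytes, nonce: bytes, response: bytes) -> bool:
    """Server-side check of the handshake."""
    return hmac.compare_digest(challenge_response(key, nonce), response)


def serve_connection_level(key: bytes, nonce: bytes, response: bytes, wire: list) -> list:
    """NTLM-style: once the handshake succeeds the whole TCP connection is trusted,
    so every HTTP message that arrives afterwards is accepted unchecked."""
    if not connection_authenticated(key, nonce, response):
        return []
    return list(wire)


def tag_message(session_key: bytes, seq: int, body: bytes) -> bytes:
    """Per-message authenticator: HMAC over a sequence number and the message body.
    Binding the sequence number stops replay and reordering of otherwise valid messages."""
    return hmac.new(session_key, seq.to_bytes(4, "big") + body, hashlib.sha256).digest()


def serve_per_message(session_key: bytes, wire: list) -> list:
    """Accept a message only if its tag verifies under the session key and its
    sequence number is higher than the last accepted one (assumed rule)."""
    accepted, last_seq = [], -1
    for seq, body, tag in wire:
        if seq > last_seq and hmac.compare_digest(tag_message(session_key, seq, body), tag):
            accepted.append(body)
            last_seq = seq
    return accepted


def demo() -> dict:
    key = derive_key(PASSWORD)
    nonce = os.urandom(16)
    response = challenge_response(key, nonce)
    # Session key bound to this handshake (assumed derivation). An attacker on the path
    # sees nonce and response but not the password-derived key, so cannot compute it.
    session_key = hmac.new(key, b"session" + nonce, hashlib.sha256).digest()

    # Constructed HTTP messages: two legitimate requests from the client.
    legit0 = b"POST /transfer HTTP/1.1\r\n\r\namount=10&to=alice"
    legit1 = b"GET /balance HTTP/1.1\r\n\r\n"
    # Attacker rewrites the first request in flight and injects one of their own.
    tampered = legit0.replace(b"amount=10", b"amount=9000").replace(b"alice", b"mallory")
    injected = b"POST /change-email HTTP/1.1\r\n\r\nemail=mallory@example.invalid"

    # Connection-level authentication only: everything after the handshake is trusted.
    accepted_conn = serve_connection_level(key, nonce, response, [tampered, injected, legit1])

    # Per-message authentication over the same attack: the client tagged legit0 and legit1;
    # the attacker can change bytes but cannot produce a tag under session_key.
    wire_mac = [
        (0, tampered, tag_message(session_key, 0, legit0)),  # body edited, tag no longer matches
        (0, injected, os.urandom(32)),                       # forged tag, will not verify
        (1, legit1, tag_message(session_key, 1, legit1)),    # untouched, verifies
    ]
    accepted_mac = serve_per_message(session_key, wire_mac)
    return {"connection_level": accepted_conn, "per_message": accepted_mac}


if __name__ == "__main__":
    result = demo()
    print("connection-level accepted:", result["connection_level"])
    print("per-message accepted:     ", result["per_message"])
```

With connection-level authentication the server accepts the tampered transfer, the injected request and the genuine balance query alike; with a per-message tag only the genuine request survives. The per-message check costs one HMAC per message on each side and no public-key operations, which is the kind of cost a constrained client can bear; it does not by itself detect a silently dropped message, which the sequence-number gap reveals only once a later message arrives.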
A solution more secure than the simple cryptographic method above is therefore required. However, it must not be too computationally intensive, so that it can be widely implemented, including on constrained clients.